Sony websites hit with PSN password exploit

The latest PSN update forces you to change your password, but if you’re not careful, someone else might do it for you.

Maybe it was all too good to be true.

The PSN has only been up for a few days, but somebody has already discovered an exploit on the website Sony set up to help people change their passwords. Specifically, the website will apparently grant access to anyone with the proper birth date and email address, and while the password change triggers a confirmation email, hackers can still come up with a new password without going through your inbox.

The exploit was first reported by Nyleveia and later confirmed on NeoGAF. Sony has since disabled the PSN sign-in feature on a number of Sony websites – including PlayStation.com and the PlayStation forums – and the website that was being used to change passwords has been taken down for maintenance, presumably to patch the exploit.

Fortunately, while the problem is embarrassing, it otherwise doesn’t seem to be nearly as bad as it sounds. For one thing, it’s not the most convenient exploit for a hacker. The passwords can only be changed one at a time, and it’s highly unlikely that anyone would be inclined to individually alter 77 million accounts after everyone has already changed their credit card information. You also would have received a confirmation email in the event of an unauthorized password change, so if you haven’t heard anything from Sony, your account should still be safe.

The people using the exploit aren’t re-hacking Sony’s entire network. They’re basically using keys to walk through the front door and rearrange your furniture, and while people have pointed out that birth dates and email addresses were stolen when the PSN was compromised, that information is also readily available on Facebook.

For those reasons, I’m not convinced that this latest incident is really comparable to the initial PSN security breach. Nobody has accessed the full database, so the scope of the exploit is relatively minor in practical terms, and while Sony’s relationship with the public is even more fragile than it was before, it’s about what I’d expect from a major corporation. I don’t think any company would fare much better while targeted by a group of hackers looking to cause chaos, and I think it’s safe to say that someone clearly has it in for Sony.

Unfortunately, the anarchy nonsense is far more of a nuisance for Sony’s customers and business partners than it is for Sony, and the whole saga is well past the point of exasperation. Sony will continue to do business – it could probably shut down its entire game division and still turn a profit – and the fans who have spent hundreds and thousands of dollars to play PS3 games won’t thank the hackers bringing down the Network.